Control: found -1 0.2-3

Hi Sebastian

On Wed, Jan 02, 2013 at 08:09:10PM +0100, Sebastian Ramacher wrote:
> Control: found -1 0.7.1-1
> 
> On 2012-12-29 09:42:08, Salvatore Bonaccorso wrote:
> > Hi Carl
> > 
> > Reading through the code a bit:
> > 
> > On Sat, Dec 29, 2012 at 08:56:07AM +0100, Salvatore Bonaccorso wrote:
> > > > http://www.openwall.com/lists/oss-security/2012/11/16/2
> > > > http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5577.html
> > > > http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5578.html
> > 
> > These seem to be introduced in upstream 0.9.1 by fixing:
> > 
> > * CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
> >   password and a random hash. The IV is chosen randomly as well. All the
> >   stored passwords are encrypted at once. Any keyrings using the old format
> >   will be automatically converted to the new format (but will no longer be
> >   compatible with 0.9 and earlier). The user's password is no longer limited
> >   to 32 characters. PyCrypto 2.5 or greater is now required for this
> >   keyring.
> > 
> > which is [1,2]. If I see it correctly, it was introduced with commit [3]
> > and changed at least to the current form in [4].
> > 
> >  [1]: http://bugs.debian.org/675379 (CVE-2012-4571)
> >  [2]: https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
> >  [3]: https://bitbucket.org/kang/python-keyring-lib/commits/576e21ab1e6dba1cfb13a1112841798679c21057
> >  [4]: https://bitbucket.org/kang/python-keyring-lib/commits/7b324f00f28d28afb9be371f0f4088d385cc15f2
> > 
> > Does this look correct?
> > 
> > So if wheezy gets a fix for CVE-2012-4571, then it also needs the
> > above fixes.
> 
> 0.7.x creates the keyring world-readable too. Running
> /usr/share/doc/python-keyring/examples/demo.py from 0.7.1-1 gives a
> ~/crypted_pass.cfg with mode 0644. So this should be fixed in wheezy
> anyway [1].
> 
> Marking 0.7.1-1 as affected.
> 
> Regards
> 
> [1] I'm currently preparing a fix for CVE-2012-4571 in wheezy. I'll
> backport the fix for this issue too.

Thanks for correcting me and rechecking this also for wheezy. Marked
as unfixed now again in the security-tracker. My approach of only
looking at the commits was wrong (I think I learned another lesson).

Also Squeeze produces a world-readable file with the demo.py!

Regards,
Salvatore

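The mode-0644 keyring file discussed above comes from creating the file with a plain open() and leaving the permissions to the process umask. The following is an added example (not code from the bug report or from python-keyring) that reproduces that outcome under umask 022 next to a writer that requests owner-only permissions at creation time, plus the check an admin could run over existing keyring files; the file names and payload are constructed for the demo.

```python
"""Added example: why a keyring file ends up mode 0644 and how to create
it owner-only regardless of umask. Paths and content are constructed."""
import os
import stat
import tempfile


def write_keyring_naive(path: str, data: bytes) -> int:
    """Plain open() relies on the umask: with the common umask 022 the
    file is created 0644 (world-readable). Returns the permission bits."""
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_keyring_private(path: str, data: bytes) -> int:
    """Request 0600 at creation (umask can only clear bits, never add
    them) and fchmod in case the file pre-existed with looser bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path: str) -> bool:
    """True if any group or other permission bit is set; a keyring file
    holding secrets should fail this check."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def demo(umask: int = 0o022) -> dict:
    """Run both writers under the given umask in a scratch directory and
    report the resulting modes; the original umask is restored."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "crypted_pass.cfg")
            private = os.path.join(d, "crypted_pass_private.cfg")
            payload = b"[keyring-setting]\n"  # constructed placeholder
            return {
                "naive_mode": write_keyring_naive(naive, payload),
                "naive_exposed": readable_by_others(naive),
                "private_mode": write_keyring_private(private, payload),
                "private_exposed": readable_by_others(private),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, oct(val) if not isinstance(val, bool) else val)
```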